CVE-2026-48190
Analyzed Analyzed - Analysis Complete

Incorrect Permission Handling in OTRS External Interface

Vulnerability report for CVE-2026-48190, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-01

Last updated on: 2026-06-15

Assigner: OTRS AG

Description

An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-01
Last Modified
2026-06-15
Generated
2026-07-11
AI Q&A
2026-06-01
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
otrs otrs From 7.0.0 (inc) to 8.0.37 (inc)
otrs otrs From 2023.0.0 (inc) to 2026.4.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is caused by incorrect handling of permissions in the OTRS External Interface and the ConfigItem List module. It allows an authenticated customer to query the system for Configuration Item (CI) information. For this vulnerability to be exploitable, the Configuration Management Database (CMDB) must be enabled and CustomerGroupSupport must be used.

Impact Analysis

The impact of this vulnerability is that an authenticated customer could gain unauthorized access to CI information within the system. This could lead to information disclosure, potentially exposing sensitive configuration details that should be restricted.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves incorrect handling of permissions in the OTRS External Interface and ConfigItem List module, allowing authenticated customers to query CI information when CMDB and CustomerGroupSupport are enabled.

No specific detection commands or network/system scanning methods are provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, update OTRS to version 2026.4.1 or later, where the issue has been patched.

Note that no patches will be provided for OTRS 7, so users of that version should consider upgrading to a supported version.

Immediate mitigation involves disabling the CMDB feature or CustomerGroupSupport if possible, to prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48190. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart